NAT between 2 subnets

Brett Martin
Level 1

Hello, 

I have subnets (LAN A and LAN B) on each side of an 819 router:

G0: IP=10.1.1.3/24 (LAN A)

F0: IP=172.16.0.3 (LAN B)

On each of these networks, there is an existing DFGW address programmed into the devices (PLCs) as 10.1.1.1 and 172.16.0.1 respectively.

I want PLCs on each subnet to talk to each other without sending packets to DFGWs.

On LAN A, I would like the PLC-A to feel like it is communicating directly with the G0 IP address when in fact that packet gets sent out F0 with F0's IP to PLC-B. PLC-B responds to the F0 address (as it is in the same subnet) and the return packet gets NATed back to the G0 IP address.

Is this doable? I think it is, but I am struggling with implementing both port forwarding and NAT translations (double NAT).

Thanks! Look forward to someone with some expertise in this area to help me out.

18 Replies

Is there any document you are aware of that simplifies some of the NAT operations?

You seem to understand it pretty well to be honest :-)

There are two types of NAT, dynamic and static. Both your statements are static. This one -

ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable

needs to be a static because the traffic is arriving on the outside interface. You see this sort of statement quite often in configurations or something like it.

This one -

ip nat outside source static 10.64.41.194 10.33.5.80 add-route

is a lot less commonly used. Ideally what we wanted to do was do a dynamic NAT from outside to inside and change the outside IP to the router's inside interface IP.

But unfortunately IOS only supports this type of NAT, i.e. dynamic NAT overload, from inside to outside, and we are going outside to inside so we couldn't use it.

It has always been a bit annoying that it doesn't because it would have made your setup and others simpler.

So we had to use the above and you have to add a route because of the reasons I explained in my previous post. It's basically the order that IOS does things in which direction.

That was why I was asking about which side initiated the connection, because if it had been the PLC on the inside we could have used a dynamic NAT statement for its IP as it went outside, because that is supported, and a static NAT statement (different from the one you have now) for the PLC on the outside.

But as the flow was always outside to inside we couldn't.

NAT and what you can do with it can get complicated. And the NAT used on ASA firewalls is a completely different syntax than IOS NAT.

Here is a link to doc on IOS NAT that is a good overview -

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Unfortunately in my browser the pictures aren't showing, but they may in yours.

If you have any specific questions, then please feel free to ask.

Glad you got it working.

Jon
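A small Python model of the IOS order of operations Jon describes (translate before routing for outside-to-inside, route before translating for inside-to-outside), applied to the two static statements and addresses quoted in this thread. This is an added illustration, not code from the thread or from Cisco; the /24 masks, the interface names "inside"/"outside" and the ephemeral port 40000 are assumptions.

```python
"""Model of the IOS NAT order of operations for the two statics in this thread.
Added example, not from the thread or from Cisco.  Addresses are the ones quoted
(10.33.x = inside, 10.64.x = outside); masks, ports and names are assumptions."""
import ipaddress

INSIDE_PLC, OUTSIDE_PLC = "10.33.5.2", "10.64.41.194"
INSIDE_GLOBAL = "10.64.41.196"   # how the inside PLC appears on the outside
OUTSIDE_LOCAL = "10.33.5.80"     # spare inside address standing in for the outside PLC

# ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
INSIDE_STATIC = {(INSIDE_PLC, 502): (INSIDE_GLOBAL, 502)}
# ip nat outside source static 10.64.41.194 10.33.5.80 [add-route]
OUTSIDE_STATIC = {OUTSIDE_PLC: OUTSIDE_LOCAL}

def routing_table(add_route):
    """Connected routes, plus the /32 host route that 'add-route' installs."""
    table = {"10.33.5.0/24": "inside", "10.64.41.0/24": "outside"}
    if add_route:
        table[OUTSIDE_LOCAL + "/32"] = "outside"
    return table

def route(table, dst):
    """Longest-prefix match, as the RIB lookup does."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)]
    return table[str(max(matches, key=lambda n: n.prefixlen))] if matches else None

def outside_to_inside(src, sport, dst, dport, add_route=True):
    """Outside -> inside: IOS translates first, then routes."""
    src = OUTSIDE_STATIC.get(src, src)                        # outside global -> outside local
    untranslate = {v: k for k, v in INSIDE_STATIC.items()}
    dst, dport = untranslate.get((dst, dport), (dst, dport))  # inside global -> inside local
    return route(routing_table(add_route), dst), (src, sport, dst, dport)

def inside_to_outside(src, sport, dst, dport, add_route=True):
    """Inside -> outside: IOS routes first and translates only if egress is outside."""
    egress = route(routing_table(add_route), dst)
    if egress == "outside":
        src, sport = INSIDE_STATIC.get((src, sport), (src, sport))  # inside local -> global
        untranslate = {v: k for k, v in OUTSIDE_STATIC.items()}
        dst = untranslate.get(dst, dst)                             # outside local -> global
    return egress, (src, sport, dst, dport)

if __name__ == "__main__":
    print(outside_to_inside(OUTSIDE_PLC, 40000, INSIDE_GLOBAL, 502))
    print(inside_to_outside(INSIDE_PLC, 502, OUTSIDE_LOCAL, 40000, add_route=True))
    print(inside_to_outside(INSIDE_PLC, 502, OUTSIDE_LOCAL, 40000, add_route=False))
```

Without the host route the inside PLC's reply to 10.33.5.80 is routed back out the inside interface (it sits in the connected /24) and never reaches the outside-to-global translation, which is why the statement needs add-route.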

Brett

No I got it now thanks.

Final question.

Do you already have any "ip nat inside" or "ip nat outside" statements on your router?

Jon

I only have a NAT inside:

I tried not to share the actual IPs, but this statement below reflects the actual subnets in use.

LAN A (outside -10.64.x.x)

LAN B (inside- 10.33.x.x)

ip nat inside source static tcp 10.33.x.x 502 10.64.x.x 502 extendable (where 10.33 is on the Pembina side (inside) and 10.64 is on the Nova side, outside of the router)

Okay so for your current static as above you have "ip nat inside" and "ip nat outside" on the relevant interfaces.

Is that actually for the PLCs, or do you still need a port translation for TCP 702?

I suspect it is and as you say the static translation for the inside PLC is the easy part.

The translation for the outside PLC is harder.

Ideally you want to simply do a dynamic NAT from outside to inside and overload on the inside interface IP. But IOS only supports that in the inside to outside direction.

So you can do a static NAT to the inside interface but that then means any traffic to the inside interface of the router is translated to the PLC on the outside which isn't what you want.

So unless we switch inside and outside around, which presents its own problems, you mentioned you had a spare IP on the inside.

Is that definitely the case?

Jon